Gamaredon, a Russian state-sponsored cyber espionage group, has continued its digital assault against Ukraine, with recent attacks using the popular messaging app Telegram to target the country’s military and law enforcement.
In a report shared with The Hacker News, the BlackBerry Research and Intelligence Team stated, “The Gamaredon group’s network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then leads the victim to the next stage server for the final payload.” This method of infecting target systems is novel.
Since at least 2013, Gamaredon, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has been known for its attacks against Ukrainian entities.
During the Russo-Ukrainian conflict, Unit 42 of Palo Alto Networks disclosed the threat actor’s unsuccessful attempts to break into an unnamed petroleum refining company in a NATO member state.
The threat actor has employed Ukrainian government-issued Microsoft Office documents as bait in spear-phishing emails that deliver malware capable of stealing sensitive data.
These documents, when opened, load a malicious template from a remote source (a technique known as remote template injection), thereby circumventing the requirement to enable macros to breach target systems and spread the infection.
The most recent findings from BlackBerry indicate an evolution in the group’s strategy, as a hard-coded Telegram channel is used to retrieve the IP address of the server hosting the malware. The IP addresses are periodically changed to avoid detection.
To accomplish this, the remote template is designed to retrieve a VBA script, which then drops a VBScript file that connects to the IP address specified in the Telegram channel to retrieve the next stage – a PowerShell script that reaches out to a different IP address to obtain a PHP file.
This PHP file is tasked with contacting a second Telegram channel to retrieve a third IP address, which hosts the final payload: a piece of information-stealing malware that Cisco Talos disclosed in September 2022.
Notably, the heavily obfuscated VBA script is only delivered if the IP address of the target is located in Ukraine.
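The chain above gives defenders a correlatable pattern: a script interpreter reads a public Telegram page and shortly afterwards connects to a bare IP address. The following detection logic is an added example, not code from the BlackBerry report; it runs over constructed proxy log lines, and the Telegram host names, process names, IPs and the ten-minute window are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): "timestamp host process url"
SAMPLE_LOG = """\
2023-01-10T09:01:12 WS-17 winword.exe https://lure.example/template.dotm
2023-01-10T09:01:40 WS-17 wscript.exe https://t.me/s/examplechannel
2023-01-10T09:01:45 WS-17 wscript.exe http://203.0.113.10/get.php
2023-01-10T09:05:00 WS-22 chrome.exe https://t.me/s/newschannel
2023-01-10T09:06:00 WS-22 chrome.exe http://203.0.113.10/get.php
2023-01-10T11:00:00 WS-09 powershell.exe https://t.me/s/examplechannel
2023-01-10T13:30:00 WS-09 powershell.exe http://198.51.100.7/stage.php
"""

# Assumed interpreter names; a browser reading Telegram is normal, a script host is not
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumed Telegram web hosts used as the dead-drop resolver
TELEGRAM_RE = re.compile(r"^https?://(t\.me|telegram\.me|telegram\.org)/", re.I)
# URL whose host is a literal IPv4 address rather than a domain name
BARE_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
WINDOW = timedelta(minutes=10)  # assumed: how close the two requests must be


def parse(log):
    """Yield (timestamp, host, process, url) from the whitespace-separated log."""
    for line in log.splitlines():
        ts, host, proc, url = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), url


def find_telegram_dead_drop(log, window=WINDOW):
    """Return (host, process, telegram_url, ip_url) tuples where a script
    interpreter fetched a Telegram page and then contacted a bare-IP URL
    within `window`; browser traffic and stale pairings are ignored."""
    last_tg = {}  # (host, process) -> (time, url) of the latest Telegram fetch
    hits = []
    for ts, host, proc, url in parse(log):
        if proc not in SCRIPT_HOSTS:
            continue
        key = (host, proc)
        if TELEGRAM_RE.match(url):
            last_tg[key] = (ts, url)
        elif BARE_IP_RE.match(url) and key in last_tg:
            tg_ts, tg_url = last_tg[key]
            if ts - tg_ts <= window:
                hits.append((host, proc, tg_url, url))
    return hits


if __name__ == "__main__":
    for hit in find_telegram_dead_drop(SAMPLE_LOG):
        print("suspect Telegram dead-drop resolution:", hit)
```

Only WS-17 is flagged: the browser on WS-22 is not a script host, and the two requests on WS-09 are hours apart.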
“The threat group changes IP addresses dynamically, making it more difficult to automate analysis using sandbox techniques after the sample has aged out,” BlackBerry explained.
“The fact that the suspect IP addresses only change during working hours in Eastern Europe strongly suggests that the threat actor operates from a single location and most likely belongs to an offensive cyber unit that conducts malicious operations against Ukraine.”
In related news, the Computer Emergency Response Team of Ukraine (CERT-UA) has attributed a destructive malware attack against the National News Agency of Ukraine to the Russia-affiliated hacking group Sandworm.